Category: Information Cards

The Identity Mashup held last week at the Harvard Law School lived up to its name. There were an endless number of nooks and crannies and people with different trajectories talking and braintorming both in and between the sessions.

A lot of important things happened. I've already mentioned one key development: the anouncement of an Open Source Identity Selector project (OSIS). If you are new to the identity conversation, an Identity Selector is the steering wheel of user-centric identity – the way people select the identity (visualized through what we call an Information Card) appropriate to a given context. OSIS will create an equivalent to what CardSpace does on Windows. It's therefore an essential piece if we want to build an identity metasystem that reaches across platforms and devices,

But there's another deeply significant development: Red Hat, which lays claim to being “the world's most trusted provider of Linux and open source technology”, will be one of the key participants.

Why is this so important? First, because it helps bring us closer to a metasystem which truly reaches across all platforms. Second, because RedHat's participation is emblematic in conveying the idea that Information Cards really represent an open technology and a rallying point for the industry. Web sites can now add Information Cards and be confident they won't be accused of herding their customers towards any given platform.

As Pete Rowley said in explaining Red Hat's decision to participate, “With so many companies collaborating on the project it is clear that this is an important piece of the identity puzzle and that the industry recognizes the opportunity to work together for the common good.

“The open source movement is much more than just Linux and we're seeing significant interest from customers and the community in building a common framework for identity interchange on the internet.

“Like TCP/IP – having a common framework takes more than a standard to encourage adoption – there must be an express need and a community of use to embrace and extend – and with the number of folks worldwide now sharing conversations, there's an express need for easily confirming that you are conversing with who you think you are.

“Seeing the democratization of content take place on the Internet I am convinced that with the advent of ubiquitous user-centric identity systems there will be a sea change in the services offered and the way we use the Internet.”

Wow. I love this guy. I think I can hear the identity big bang starting just beyond the horizon. Hold on to your seats.

Here’s an encouraging story by Martin Banks of Britain's The Register. If Shelagh Callahan of Intel Systems Technology Lab has her way, we will have another stream of energy powering the Information Card paradigm and underlying Identity Metasystem.

If your digital identity is going to mean anything, it has to be secured, and Shelagh Callahan of Intel's Systems Technology Lab thinks that has to start on your PC. She compares the state of identity today to early car designs, each with a different way of starting the engine; today every car has a key and you just have to find the ignition.

“With identity, not only do we not know where to put the ignition key, we don't even know there is a key. We want to make the platform understand what a key is and how you can use it. The intent is to make platforms as capable to understand identities in the future, as they are currently able to understand devices – to know what they are, how to ‘load’ them, how to find and associate resources, how to delete them, how to establish policy for them and so on.”

Too many passwords, over-used identifiers that quickly lose any security they had (how hard is it to find your mother's maiden name?), poor privacy; the way we work with identity on our PCs is full of problems and it isn't flexile enough to actually do what we want it to. “I must know exactly who you are and how to find you but you must be able to be anonymous and I must be able to prove I'm not snooping. How can you be both strongly authenticated and anonymous?”

Single sign-on doesn't solve things, Callahan says. “With most solutions I have to give up control to get sanity.” And you'll never get one single sign-on. “Intel won't federate with Amazon or with my local utility company.” The only things all the services and suppliers have in common are you – and the devices you use.

The idea of the identity-capable platform is to authenticate to the platform itself on your device, rather than to a remote service. That avoids interception problems; you aren't broadcasting your biometrics or your smartcard authentication. You can prove who you are without handing over the credentials you use to prove it.

Callahan talks about a secure partition on your PC using the Trusted Platform Module chip. You authenticate yourself to the partition using a fingerprint reader, swipe card, mobile phone SIM or other secure methods and the partition provides your identity to remote sites and services, via web services being developed by the Liberty Alliance. There's no need for a site to deploy a Liberty Federation infrastructure to use ICP identities.

As well as authenticating you to services that need to know who you are, the identity platform can authorise you for services that need to know what you're allowed to do but not who you are. It can also introduce one person, service or device to another, again via web services.

If you travel, getting one bill for data connections from your mobile operator is simpler and often cheaper than paying for every hotspot individually – Callahan's team has worked on a prototype system where your mobile phone SIM gives you access to hotspots on your laptop. So if you want to set up a Wi-Fi account using the same identity as your mobile phone, the identity provisioning system can create a new identity that corresponds to the existing identity, using the TPM to lock the credentials to the platform for security. There will also be tools for linking identities (you might want to link a credit card identity to a membership identity so it gets renewed automatically), deleting identities and transporting them to other devices you use.

Services trust the platform because they trust that it's accurate and secure; the platform can assert how trustworthy it is by disclosing which secure method you've chosen to use. For users to trust it they have to be in control of where it identifies them, so there are policies for controlling who can use the authenticated identity claims you provide and what they can use them for.

“To the service providers the platform can act as a full partner in the infrastructure's identity strategy. And for the end user, their platform can safely store their personal information and they can more easily choose what they wish to disclose and to whom,” Callahan says. The platform can also store preferences and metadata connected to an identity.

Callahan sees the identity platform inside the PC becoming part of the identity metasystem that Microsoft's Kim Cameron and others are arguing for. Identity selection technologies like Microsoft's CardSpace (formerly InfoCard) could use the platform as a way of storing and authenticating your Information Cards, as could the connection manager for your network association or an identity provider like your ISP, bank or enterprise IT team.

“The identity-capable platform is a strong complement to identity infrastructure, not competition for it,” she says. “It is not about providing applications and services, but it is about making sure applications and services (including operating system level applications and services) can depend on consistent, standards-based support of identity functions.”

Multi-core chips and virtualisation make it easier to switch from thinking about multi-tasking to envisioning a PC with different partitions and platforms providing secure, isolated services, whether that's identity, the network connection or a third-party maintenance service. The combination of partitions and services is behind all of Intel's current platforms like ViiV and vPro – although the identity platform is still a research project rather than something planned for a specific Intel release.

David Berlind's not the only member of the Between the Lines team at the ID Mashup this week. I've been here as well, watching the identity happenings. The first two days were traditional conference style, but the third day of the workshop was done open space style. That's a great format for generating discussion and this example was no exception. I went to a session on reputation first thing that resulted in some very good ideas and principles on that important subject.

The second session I attended was a discussion of OSIS, the open source identity selector project. This project has server and client pieces as well as a security token service (STS). The server side pieces of OSIS will be part of the proposed Heraldry project at Apache. The primary purpose of Heraldry is to provide a home for open source identity projects, like OpenID. The client code and STS pieces will be part of the Eclipse Higgins project.

OSIS is more than just a small project to build open source identity selectors for Microsoft's CardSpace (formerly InfoCard); after all, that's been done. OSIS will support interoperability between the addressable identity systems (OpenID, LID, XRI) and card (or token) based identity systems (more notably CardSpace and Higgins). OSIS has the support of all of the major players (including Microsoft, Novell, IBM, SXIP, XRI, and Verisign).

This is really a historic development in the Internet identity space. Microsoft, before their own implementation of CardSpace even ships, is linking up with the larger identity community, including OpenID, LID, i-Names, and Higgins. Make no mistake, they've been participating and giving leadership to that community for a long time, but until now, it wasn't clear that all the various systems would be interoperable. OSIS aims to change that.

I don't actually agree with Phil's notion that “this has already been done”. But I agree it will be. The list of individuals and companies participating in OSIS is a who's who of important contributors.

Why not? The conference was full of remarkable milestones. I'll talk about some of the high level issues in subsequent posts.

But in terms of concrete and immediate progress, Michael McIntosh of IBM showed how he could use a Higgins “i-Card” to log in to my identityblog site. I know Michael and Paul Trevethick (from Social Physics) worked really hard to show skeptics that we throughout the industry are really coming together to make identity work across platforms.

In another demo, we saw more of Paul's work around an “information broker” – I”ll try to find a detailed writeup somewhere.

And to top it off, we got an eye-opening presentation by Montreal's Louise Guay. Her My Virtual Model is a must-see. Louise is a real visionary. Doc was reeling. For example, she offers us a personal avatar – you set it up with your measurements and characteristics and use it to find outfits with the look you want. And guess what? People are actually using it. And I'm just brushing the surface of her thinking.

Beyond the “cool factor” is the fact that she is turning marketing upside down. She's fully aware of the relationship between her avatars, the people who use them, and the great identity issues of our age. These are social artifacts people can share with their friends, but are also respectful of privacy – allowing us to get access to unprecedented personalization without sharing any identifying information.

Novell has launched an ambitious open source identity management project, which aims to allow companies to integrate different identity systems and provide a consistent approach to securing and managing identity.

Called â€œBandit,â€ the company quietly initiated the project earlier this year, and has been donating engineering resources and code to get things started.

Novell has a track record in identity management products and some credibility in the open source world, due to its acquisition of SuSE Linux, and is hoping that a freely available integration layer will mean more sales for the whole identity management market.

“Novell's initial sponsorship of the Bandit project is a natural extension of our leadership in both identity and open source, and we are gratified to see the groundswell of community support,” Novell Executive Vice President and CTO Jeff Jaffe said in a statement.

The company has lined up support for Bandit from a number of key industry players, including ActivIdentity, Eclipse, IBM, Liberty Alliance, Microsoft, Novacoast, Red Hat, Sun, Sxip Identity, Symantec and Trusted Network Technologies.

“The Identity Metasystem provides a model for identity interoperability across the industry. We're happy to see Novell playing an active role in helping realize the Identity Metasystem and look forward to working with them to ensure interoperability between our respective products,” said Kim Cameron, architect of Identity and Access for Microsoft, in a statement.

The Bandit services will work with existing industry standards such as the WS-* standards, Liberty Federation and Eclipse Higgins. Indeed Bandit has some overlap with the open-source Higgins effort, Novell has acknowledged, and Bandit's developers are planning a Higgins context provider based on Bandit's Common Identity service. The context provider is the way the Higgins framework accesses different identity repositories.

Ultimately, Bandit aims to provide an easier approach to problems such as secure, role-based access and regulatory compliance reporting, Novell said. The project's four main components are the Common Authentication Services Adapter (CASA), the Common Identity service, the Role Engine service and the Audit Record Framework service.

Industry analysts have said the initiative appears promising, given Novell's background and the apparent willingness of other heavyweights to participate.

“This is not the first open source identity management initiative, but the involvement of identity management heavyweight Novell is significant,” said Neil Macehiter, partner at analyst firm Macehiter Ward-Dutton, in a research note. “The fact that the project is focusing on higher-level identity management issues gives it added significance.”

Dale Olds, the distinguished engineer behind the initiative, has shown a lot of leadership in the open source community by throwing Novell's support behind Information Cards. He's a serious guy – serious about interoperabilility.

Dale's belief that identity can't have boundaries or borders is palpable. We'll all benefit from his work.

My friend and colleague Steven Woodward has started a blog at Steve's Identity Corner. He told me he will be writing about uses for Information Cards emerging from his conversations with customers. For now he is structuring his pieces around a look at phishing – he'll be drilling down into how Information Cards help address the problem.

Over the last few years we have all experienced the constant barrage of Phishing attacks. These are not only a pain for all of us as end users, as we carefully pick through our email trying to figure out whatâ€™s real and what isnâ€™t, but also an unending headache for those trying to run the commercial web sites we link to. So letâ€™s take a step back for a moment to look at how these attacks are possible, after all weâ€™re smart people we shouldnâ€™t be fooled that easily â€¦.

There are three distinct steps to any Phishing attack for the sake of making this simple letâ€™s just call them Casting the Bait, Reeling in the Catch and Stealing the Prize.

Casting the Bait â€“ since the initial goal of the phisher is to get you to go to their web site the first thing to do is to deliver you a URL in an email message. This email has to convince you that not only is it from a real company but that you should take the additional action of clicking on the link it contains. Weâ€™ve all seen the â€œthere has been a change in your account details and we need you to verify themâ€ email, complete with nice graphics and company logoâ€™s from a familiar company. The first few times we see these we naively click on the link and off we go to who knows where to try and verify our account details. Of course given the amount of spam we all receive itâ€™s not surprising that at times itâ€™s hard for us to tell the good mail from the bad. In recent years many efforts have been made to reduce the amount of spam and as the junk mail filters have become more sophisticated we are weeding out a lot more than we used to, but there is still more work to be done.

Reeling in the Catch â€“ have you ever thought about how easy it is to fake a web site, think about that for a moment if I go up to any webtsite today I bet I can copy half their logoâ€™s and art work straight off of their home page. In no time at all a half decent web designer could mock up a site that is close enough to the real thing to fool 90% of the people who saw it.

In fact thatâ€™s what Researchers at Harvard University and UC Berkeley did in order to do some research on Phishing. Now compare that with how hard it is to fake a real brick and mortar business, say a bank or a book store. One of the reasons so many people get phished is because it is very hard for most users to tell the difference between a fake site and the real site. In fact many users today have no idea what any of the so called security measureâ€™s we have in place today even mean. Ask some of your non-technical friends to explain what an SSL certificate is and how they can tell when a site has one. Now ask them how they know thatâ€™s a real cert and not one that was issued to a spurious company in Nigeria. On the whole we as an industry have come up pretty short in terms of protecting our users from going to sites that they canâ€™t identify.

Stealing the Prize â€“ in many cases the prize is your username and password. Firstly this is because the Phisher can now get access to the site that they faked, secondly the chances are you also use that username and password other places, and they are going to go after those too.

But wait. I hear you cry, “I have several passwords that I use on different sites depending on the value associated with an account.”

So imagine this, you get tricked into going to a fake site, it asks you for your username and password, you type them in and â€œUser Authentication Failed, please try againâ€. So you think to yourself maybe I used one of my other username and password pairs, so you try again, and fail. Eventually you think maybe I just typed the password wrong the first time! So you re-enter it and the site lets you in (and redirects you to the real site), now the Phishing site not only has the username and password for the site they faked, but chances are they also stole the other 4 combinations you use.

And yes this happened to someone I know, oops. So username and passwords arenâ€™t solving the problem today of how we get users to authenticate to our sites. And we need to keep it simple enough that all users from the technically savvy to novice users can just as easily and securely authenticate, without the need for username and password.

As you can see the method of attack is pretty straightforward and if wasnâ€™t for the fact that we prefer to operate on the right side of the law, Iâ€™m sure we could all make a pretty decent living doing it. One of the big challenges for us as an industry is that it covers multiple technologies email clients, browsers, SSL certificates and user authentication systems, all of which may be provided by different vendors, any one of which doesnâ€™t feel like they can solve the problem.

Over the next few weeks Iâ€™m going to cover each of these topics and explain the work that we are doing here at Microsoft to address these issues and in addition other industry wide efforts I come across. Iâ€™m not saying that we can stop these attacks completely but by changing the rules a little we can at least start to fight back. Lets face it we are dealing with some pretty sophisticated criminals intent on stealing from all of us if they can, we just have to make it a lot harder for them to do their job.

I have to gently disagree with Kim Cameron about the renaming of InfoCard. Personally, I thought it [InfoCard] was a fine name. Then again I am a Mac user and Keychain just makes sense.

Now, it has the Windows name in it. Why? Second, contains the word space, similar to namespace, which I think of in technical terms like an XML namespace and my unscientific interviews this morning produced much head scratching from regular people. Not a big deal in the grand scheme of things but still irks me.

So from now on, I'll be writing about Information Cards. I hope that one day Apple will have a way to use Information Cards. Not to mention Linux and Unix and telephones and iPods. I hope they all behave in a more or less recognizable way, just as we can all get into a car we've never seen before, look at the steering wheel and pedals, and know how to drive it – inspite of every car having its own character.

Our research shows the growing understanding of “InfoCards” will transfer just fine to “Information Cards.”

In fact if someone kept calling them InfoCards or ICards or Cards the meanings would all still hold together.

But as a name that reaches across the industry, it is best to have one that no one owns, and that we don't have to debate, because it is just a generic statement of purpose.

Meanwhile, we have the small detail of this implementation on Windows and the fact that it's going to ship soon. Our implementation is a place where you can put your Information Cards. So we're calling that your CardSpace. We don't intend to Windows it to death – I expect it will normally be refered to as CardSpace once you are inside the Windows world. Of course, I don't work for the Department of Naming and don't have my branding license.

For the last year, my friends and colleagues in other companies and organizations have been hard core about wanting me to better separate between the “Identity Metasystem”, the “cards” that stand for identity relationships, and the Microsoft Implementation of all this. I think everyone wants to participate in the emerging identity metasystem. But people don't want their participation to be seen as too closely mixed up with Microsoft's implementation.

In the early days of the project I didn't understand all these complex issues so we ended up with the same name being used for all three purposes.

Now, we've tried to do what our colleagues have been asking for. The name of the “big idea” – Information Cards – is generic and belongs to the industry and the world. The Identity Metasystem is something each of us contributes to in our own way. Windows CardSpace is Microsoft's implementation of an identity selector on the Windows client.

I will be working with colleagues from other companies on a common logo that can be displayed wherever Information Cards are accepted.

I should have made all of this clearer when I first blogged about it. But thanks to the miracle of the Blogosphere it's possible to see when you haven't been clear about what you are doing. So, I hope this helps.